16:01:57 RRSAgent has joined #privacy
16:01:57 logging to http://www.w3.org/2017/08/24-privacy-irc
16:01:59 RRSAgent, make logs 263
16:01:59 Zakim has joined #privacy
16:02:01 Meeting: Privacy Interest Group Teleconference
16:02:01 Date: 24 August 2017
16:02:03 rrsagent, make logs public
16:02:06 dsinger has joined #privacy
16:02:11 Waiting for folks to join the call...
16:03:05 present+
16:03:19 present+ npdoty, dsinger, tara, keiji
16:04:08 regrets+ christine
16:04:18 https://www.w3.org/TR/webvtt1/#privacy-and-security-considerations
16:05:43 VTT: can be used for captions
16:05:53 Also timed actions
16:06:12 (e.g., flip text in time with video)
16:06:26 present+
16:07:09 Style sheets -- if you trigger fetches of resources, you can be notified if user, say, watches a video
16:07:48 present+ dsinger
16:07:55 q+
16:08:31 Also leaks privacy of preference (e.g., user has a need for captions or subtitles)
16:08:40 Thanks, Sam!
16:08:53 npdoty: what can we learn from the Timed Text review we did last month? can you coordinate with them?
16:08:55 (I took some notes, was short.)
16:09:03 dsinger: they have the complexity of using xml.
16:09:27 npdoty: most of discussion last time was re: fetch. with CSS fetching is prohibited?
16:09:44 dsinger: no, you can trigger fetching of style sheets. they're static - not time-based.
16:10:02 npdoty: comparable to fetching DTD
16:10:12 ... but can't load external image?
16:10:20 dsinger: right.
16:10:27 ... can't control what JS does with the trigger.
16:10:46 npdoty: anything else re: user prefs that might be revealed to JS, e.g. language?
16:10:55 dsinger: not that JS layer would not already know.
16:10:57 q+
16:11:13 ... metadata track.... language no longer applies.
16:11:18 zakim, code?
16:11:18 I have been told this is
16:11:31 might be able to leave how user like style.
16:11:36 https://mit.webex.com/mit/j.php?MTID=meda7c1b71d647aefa4377d4610c67648
16:11:53 can probe color preferences, etc.
16:12:07 npdoty: css history sniffing had this problem - are links purple?
16:12:20 dsinger: I'm talking re: sniffing pixels on screen
16:12:35 ack np
16:12:57 npdoty: do different UAs do rendering differently?
16:13:05 dsinger: preferences affect rendering.
16:13:45 weiler: has been discussed that the issue is in "other layers" but I have seen this be a problem
16:14:31 weiler: if there is, say, a leak plugged in that layer, then we don't want to say "we're sunk because someone else has made the situation poor"
16:15:00 singer: basically agreeing, not thinking of anything off the top of his head
16:15:18 +1 that we don't want to accept a privacy leak just because it's already present somewhere else
16:16:31 npdoty: less leaks here than with, e.g., sensors
16:16:38 npdoty: if (static) documents can be used in a way that they reveal how things are loaded, etc then it's a problem, but not as big a risk as say, Javascript
16:16:52 dsinger: timed text and this would be happy to answer Q's. I think security problems are slightly more interesting.
16:16:53 present+
16:17:02 tara: timelines? 22 Sept?
16:17:17 dsinger: we did a wide review a year ago, but doing another.
16:17:35 ... doing to CR. trouble getting people's attention because it was implemented years ago.
16:17:38 q+ to talk about apple representation in AOB
16:17:39 q?
16:17:43 s/doing/going/
16:17:44 ack we
16:18:30 dsinger: Jason Novak works in Apple's privacy group. more individual contributor; has been managing to date. he'll be showing up more.
16:18:33 :clap:
16:18:46 agenda+ MRM calls
16:19:16 ack ds
16:19:16 dsinger, you wanted to talk about apple representation in AOB
16:19:44 weiler: asked to provide text to help team members -- security & privacy reviews
16:19:59 weiler: mentioned this team is doing privacy reviews; what else to share with AC reps?
16:20:21 dsinger: would plead for more people on the calls?
16:20:33 q+ to talk about do not track
16:20:42 npdoty: we have also asked for more systematic reviews, such as with security reviews
16:20:55 npdoty: want to assign more folks to do review (outside of call time, say)
16:21:08 weiler: that has been happening for security
16:21:20 npdoty: outreach calls is a good time to bring this up
16:21:30 and we'd love to hear the experience on security reviews
16:21:38 currently the security reviews seem to be rarely happening, for those not on the web security IG
16:21:56 weiler: had mentioned WebAuth WG was approaching CR...hoping they are going to ask for PING input
16:22:09 weiler: they have decided not to ask *yet*
16:22:13 q?
16:22:52 ack ds
16:22:52 dsinger, you wanted to talk about do not track
16:22:59 dsinger: DNT / tracking protection WG is trying to wrap up.
16:23:17 ... exceptions API .. for a site to be able to say "in order to do my job, I need to be able to track you"...
16:23:37 ... exceptions API went through a significant edit. wondering if we should do another review
16:23:47 ... long draft.
16:24:01 are there fingerprinting implications regarding that API? I know we had previously considered that
16:25:18 dsinger: may be able to use different exceptions on different clients in order to fingerprint. need to look at this more closely.
16:25:21 https://w3c.github.io/dnt/drafts/tracking-dnt.html
16:25:28 (or raw code: https://github.com/w3c/dnt/blob/master/drafts/tracking-dnt.html)
16:25:47 q?
16:25:55 or https://rawgit.com/w3c/dnt/master/drafts/tracking-dnt.html
16:26:10 weiler: will WG ask, or do we need to provide it proactively?
16:26:18 dsinger: they'll ask
16:26:38 weiler: TPAC plans?
16:27:51 tara: some conflicts. I'll send a request for agenda.
16:29:07 Web Security IG - really try not to overlap
16:32:04 tara: not setting the Sept date now, but we'll send it to the list soon.
16:32:22 q?
16:32:24 adjourned at 1232pm
16:32:48 s/1232pm/1632Z/
16:32:55 rrsagent, draft minutes
16:32:55 I have made the request to generate http://www.w3.org/2017/08/24-privacy-minutes.html weiler
16:33:01 rrsagent, make logs public
16:55:11 keiji has left #privacy
17:16:17 weiler has joined #privacy